author | Simo Sorce <idra@samba.org> | 2010-07-23 14:47:36 -0400 |
committer | Simo Sorce <idra@samba.org> | 2010-07-28 12:24:44 -0400 |
commit | 135a82e78f9537fb7b7f4b82fb7cba065737675f (patch) | |
tree | c024764fedf503f904ea6ebb716a04cac4a880b2 /source3 | |
parent | 72088096af8dbf57cbc85c71cd0eef4447e7560d (diff) | |
s3-decrpc: Introduce gssapi support for dcerpc krb5 auth
Diffstat (limited to 'source3')
-rw-r--r-- | source3/Makefile.in | 4 | ||||
-rw-r--r-- | source3/include/ntdomain.h | 8 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_gssapi.c | 404 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_gssapi.h | 47 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 153 |
5 files changed, 487 insertions, 129 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 1b641a4072..91856c2945 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -676,7 +676,8 @@ RPC_SERVER_OBJ = @RPC_STATIC@ $(RPC_PIPE_OBJ) $(NPA_TSTREAM_OBJ)
 RPC_PARSE_OBJ = $(RPC_PARSE_OBJ2)
-RPC_CLIENT_OBJ = rpc_client/cli_pipe.o librpc/rpc/rpc_common.o \
+RPC_CLIENT_OBJ = rpc_client/cli_pipe.o librpc/rpc/dcerpc_gssapi.o \
+ librpc/rpc/rpc_common.o \
 rpc_client/rpc_transport_np.o \
 rpc_client/rpc_transport_sock.o \
 rpc_client/rpc_transport_smbd.o
@@ -1353,6 +1354,7 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
 $(RPC_CLIENT_OBJ1) \
 librpc/rpc/rpc_common.o \
 rpc_client/cli_pipe.o \
+ librpc/rpc/dcerpc_gssapi.o \
 ../librpc/rpc/binding.o \
 $(LIBMSRPC_GEN_OBJ)
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index c843bc9aea..065138152b 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -99,11 +99,7 @@ enum pipe_auth_type_spnego {
 PIPE_AUTH_TYPE_SPNEGO_KRB5
 };
-/* auth state for krb5. */
-struct kerberos_auth_struct {
- const char *service_principal;
- DATA_BLOB session_key;
-};
+struct gse_context;
 /* auth state for all bind types. */
@@ -115,7 +111,7 @@ struct pipe_auth_data {
 union {
 struct schannel_state *schannel_auth;
 struct auth_ntlmssp_state *auth_ntlmssp_state;
- struct kerberos_auth_struct *kerberos_auth; /* Client only for now */
+ struct gse_context *gssapi_state; /* Client only for now */
 } a_u;
 /* Only the client code uses these 3 for now */
diff --git a/source3/librpc/rpc/dcerpc_gssapi.c b/source3/librpc/rpc/dcerpc_gssapi.c
new file mode 100644
index 0000000000..e3e5eedac4
--- /dev/null
+++ b/source3/librpc/rpc/dcerpc_gssapi.c
@@ -0,0 +1,404 @@
+/*
+ * GSSAPI Security Extensions
+ * RPC Pipe client routines
+ * Copyright (C) Simo Sorce 2010.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* We support only GSSAPI/KRB5 here */
+
+#include "includes.h"
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#include "dcerpc_gssapi.h"
+
+#ifdef HAVE_GSSAPI_H
+
+static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
+
+struct gse_context {
+ krb5_context k5ctx;
+ krb5_ccache ccache;
+
+ bool spnego_wrap;
+
+ gss_ctx_id_t gss_ctx;
+
+ OM_uint32 gss_c_flags;
+ gss_OID_desc gss_mech;
+
+ gss_name_t server_name;
+ gss_cred_id_t cli_creds;
+
+ DATA_BLOB session_key;
+
+ bool more_processing;
+};
+
+/* free non talloc dependent contexts */
+static int gse_context_destructor(void *ptr)
+{
+ struct gse_context *gse_ctx;
+ OM_uint32 gss_min, gss_maj;
+
+ gse_ctx = talloc_get_type_abort(ptr, struct gse_context);
+ if (gse_ctx->k5ctx) {
+ if (gse_ctx->ccache) {
+ krb5_cc_close(gse_ctx->k5ctx, gse_ctx->ccache);
+ gse_ctx->ccache = NULL;
+ }
+ krb5_free_context(gse_ctx->k5ctx);
+ gse_ctx->k5ctx = NULL;
+ }
+ if (gse_ctx->gss_ctx != GSS_C_NO_CONTEXT) {
+ gss_maj = gss_delete_sec_context(&gss_min,
+ &gse_ctx->gss_ctx,
+ GSS_C_NO_BUFFER);
+ }
+ if (gse_ctx->server_name) {
+ gss_maj = gss_release_name(&gss_min,
+ &gse_ctx->server_name);
+ }
+
+ return 0;
+}
+
+static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ const char *ccache_name,
+ uint32_t add_gss_c_flags,
+ struct gse_context **_gse_ctx)
+{
+ struct gse_context *gse_ctx;
+ krb5_error_code k5ret;
+ NTSTATUS status;
+
+ gse_ctx = talloc_zero(mem_ctx, struct gse_context);
+ if (!gse_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_set_destructor((TALLOC_CTX *)gse_ctx, gse_context_destructor);
+
+ memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+
+ switch (auth_type) {
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ gse_ctx->spnego_wrap = true;
+ break;
+ case DCERPC_AUTH_TYPE_KRB5:
+ gse_ctx->spnego_wrap = false;
+ break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto err_out;
+ }
+
+ gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
+ GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG |
+ GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG;
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG;
+ break;
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG;
+ break;
+ default:
+ break;
+ }
+
+ gse_ctx->gss_c_flags |= add_gss_c_flags;
+
+ /* Initialize Kerberos Context */
+ initialize_krb5_error_table();
+
+ k5ret = krb5_init_context(&gse_ctx->k5ctx);
+ if (k5ret) {
+ DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
+ error_message(k5ret)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto err_out;
+ }
+
+ if (!ccache_name) {
+ ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
+ }
+ k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
+ &gse_ctx->ccache);
+ if (k5ret) {
+ DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
+ error_message(k5ret)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto err_out;
+ }
+
+ /* TODO: Should we enforce a enc_types list ?
+ ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
+ */
+
+ *_gse_ctx = gse_ctx;
+ return NT_STATUS_OK;
+
+err_out:
+ TALLOC_FREE(gse_ctx);
+ return status;
+}
+
+NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ const char *ccache_name,
+ const char *server,
+ const char *service,
+ const char *username,
+ const char *password,
+ uint32_t add_gss_c_flags,
+ struct pipe_auth_data **_auth)
+{
+ struct pipe_auth_data *auth;
+ struct gse_context *gse_ctx;
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_desc name_buffer = {0, NULL};
+ gss_OID_set_desc mech_set;
+ NTSTATUS status;
+
+ if (!server || !service) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ auth = talloc(mem_ctx, struct pipe_auth_data);
+ if (auth == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth->auth_type = auth_type;
+ if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
+ auth->spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
+ }
+ auth->auth_level = auth_level;
+
+ if (!username) {
+ username = "";
+ }
+
+ auth->user_name = talloc_strdup(auth, username);
+ if (!auth->user_name) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err_out;
+ }
+
+ /* Fixme, should we fetch/set the Realm ? */
+ auth->domain = talloc_strdup(auth, "");
+ if (!auth->domain) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err_out;
+ }
+
+ status = gse_context_init(auth, auth_type, auth_level,
+ ccache_name, add_gss_c_flags,
+ &gse_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto err_out;
+ }
+
+ name_buffer.value = talloc_asprintf(auth, "%s@%s", service, server);
+ if (!name_buffer.value) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err_out;
+ }
+ name_buffer.length = strlen((char *)name_buffer.value);
+ gss_maj = gss_import_name(&gss_min, &name_buffer,
+ GSS_C_NT_HOSTBASED_SERVICE,
+ &gse_ctx->server_name);
+ if (gss_maj) {
+ DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
+ (char *)name_buffer.value,
+ gse_errstr(auth, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto err_out;
+ }
+
+ /* TODO: get krb5 ticket using username/password, if no valid
+ * one already available in ccache */
+
+ mech_set.count = 1;
+ mech_set.elements = &gse_ctx->gss_mech;
+
+ gss_maj = gss_acquire_cred(&gss_min,
+ gse_ctx->server_name,
+ GSS_C_INDEFINITE,
+ &mech_set,
+ GSS_C_INITIATE,
+ &gse_ctx->cli_creds,
+ NULL, NULL);
+ if (gss_maj) {
+ DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
+ (char *)name_buffer.value,
+ gse_errstr(auth, gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto err_out;
+ }
+
+ auth->a_u.gssapi_state = gse_ctx;
+ *_auth = auth;
+ TALLOC_FREE(name_buffer.value);
+ return NT_STATUS_OK;
+
+err_out:
+ TALLOC_FREE(auth);
+ return status;
+}
+
+NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ struct gse_context *gse_ctx,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out)
+{
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_desc in_data;
+ gss_buffer_desc out_data;
+ DATA_BLOB blob = data_blob_null;
+ NTSTATUS status;
+
+ in_data.value = token_in->data;
+ in_data.length = token_in->length;
+
+ gss_maj = gss_init_sec_context(&gss_min,
+ gse_ctx->cli_creds,
+ &gse_ctx->gss_ctx,
+ gse_ctx->server_name,
+ &gse_ctx->gss_mech,
+ gse_ctx->gss_c_flags,
+ 0, GSS_C_NO_CHANNEL_BINDINGS,
+ &in_data, NULL, &out_data,
+ NULL, NULL);
+ switch (gss_maj) {
+ case GSS_S_COMPLETE:
+ /* we are done with it */
+ gse_ctx->more_processing = false;
+ status = NT_STATUS_OK;
+ break;
+ case GSS_S_CONTINUE_NEEDED:
+ /* we will need a third leg */
+ gse_ctx->more_processing = true;
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ break;
+ default:
+ DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
+ gse_errstr(talloc_tos(), gss_maj, gss_min)));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
+ if (!blob.data) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+
+ gss_maj = gss_release_buffer(&gss_min, &out_data);
+
+done:
+ *token_out = blob;
+ return status;
+}
+
+static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
+{
+ OM_uint32 gss_min, gss_maj;
+ gss_buffer_desc msg_min;
+ gss_buffer_desc msg_maj;
+ OM_uint32 msg_ctx = 0;
+
+ char *errstr = NULL;
+
+ ZERO_STRUCT(msg_min);
+ ZERO_STRUCT(msg_maj);
+
+ gss_maj = gss_display_status(&gss_min, maj, GSS_C_GSS_CODE,
+ GSS_C_NO_OID, &msg_ctx, &msg_maj);
+ if (gss_maj) {
+ goto done;
+ }
+ gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE,
+ discard_const(gss_mech_krb5),
+ &msg_ctx, &msg_min);
+ if (gss_maj) {
+ goto done;
+ }
+
+ errstr = talloc_strndup(mem_ctx,
+ (char *)msg_maj.value,
+ msg_maj.length);
+ if (!errstr) {
+ goto done;
+ }
+ errstr = talloc_strdup_append_buffer(errstr, ": ");
+ if (!errstr) {
+ goto done;
+ }
+ errstr = talloc_strndup_append_buffer(errstr,
+ (char *)msg_min.value,
+ msg_min.length);
+ if (!errstr) {
+ goto done;
+ }
+
+done:
+ if (msg_min.value) {
+ gss_maj = gss_release_buffer(&gss_min, &msg_min);
+ }
+ if (msg_maj.value) {
+ gss_maj = gss_release_buffer(&gss_min, &msg_maj);
+ }
+ return errstr;
+}
+
+DATA_BLOB gse_get_session_key(struct gse_context *gse_ctx)
+{
+ return gse_ctx->session_key;
+}
+
+#else /* HAVE_GSSAPI_H */
+
+NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ const char *ccache_name,
+ const char *server,
+ const char *service,
+ const char *username,
+ const char *password,
+ uint32_t add_gss_c_flags,
+ struct pipe_auth_data **_auth)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+NTSTATUS gse_gen_client_auth_token(TALLOC_CTX *mem_ctx,
+ struct gse_context *gse_ctx,
+ DATA_BLOB *auth_blob)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+DATA_BLOB gse_get_session_key(struct gse_context *gse_ctx)
+{
+ return data_blob_null;
+}
+
+#endif /* HAVE_GSSAPI_H */
diff --git a/source3/librpc/rpc/dcerpc_gssapi.h b/source3/librpc/rpc/dcerpc_gssapi.h
new file mode 100644
index 0000000000..c172cacc14
--- /dev/null
+++ b/source3/librpc/rpc/dcerpc_gssapi.h
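Review bot: The flags the peer actually granted are thrown away in gse_get_client_auth_token — the `ret_flags` argument of gss_init_sec_context (second-to-last, passed as NULL) is never inspected — so on GSS_S_COMPLETE nothing verifies that mutual authentication and the integrity/confidentiality protection implied by auth_level were really established, and a context negotiated down is accepted silently; the rewrite below checks them. Requesting `GSS_C_DELEG_FLAG` by default in gse_context_init is also questionable: together with GSS_C_DELEG_POLICY_FLAG it asks the library to forward the caller's TGT to every server the client binds to (unconditionally on MIT, as I read its semantics), which should be opt-in through add_gss_c_flags with only the POLICY flag set by default. In gse_init_client the initiator credential is acquired with `gse_ctx->server_name` as desired_name, which MIT and Heimdal compare against the principal held in the ccache, so acquisition will fail unless the cache happens to contain cifs@<server> — it should be `GSS_C_NO_NAME`. A leg that completes with an empty output token also trips the `if (!blob.data)` check, because as far as I recall data_blob_talloc() returns data_blob_null for a NULL/zero-length input, turning success into NT_STATUS_NO_MEMORY; guard it with `if (!blob.data && out_data.length != 0)`. Finally, `auth = talloc(mem_ctx, struct pipe_auth_data)` leaves spnego_type and the remaining fields uninitialized for DCERPC_AUTH_TYPE_KRB5 (the removed rpccli_kerberos_bind_data set PIPE_AUTH_TYPE_SPNEGO_NONE explicitly); use talloc_zero().
```c
	OM_uint32 ret_flags = 0;
	/* the peer may grant less than we asked for; these must be honoured */
	OM_uint32 required = gse_ctx->gss_c_flags &
			     (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG);
	/* … unchanged: in_data setup … */
	gss_maj = gss_init_sec_context(&gss_min,
				       gse_ctx->cli_creds,
				       &gse_ctx->gss_ctx,
				       gse_ctx->server_name,
				       &gse_ctx->gss_mech,
				       gse_ctx->gss_c_flags,
				       0, GSS_C_NO_CHANNEL_BINDINGS,
				       &in_data, NULL, &out_data,
				       &ret_flags, NULL);
	switch (gss_maj) {
	case GSS_S_COMPLETE:
		if ((ret_flags & required) != required) {
			DEBUG(0, ("gss_init_sec_context negotiated flags 0x%x, "
				  "required 0x%x\n",
				  (unsigned)ret_flags, (unsigned)required));
			gss_release_buffer(&gss_min, &out_data);
			status = NT_STATUS_ACCESS_DENIED;
			goto done;
		}
		/* we are done with it */
		gse_ctx->more_processing = false;
		status = NT_STATUS_OK;
		break;
	/* … unchanged: GSS_S_CONTINUE_NEEDED and default cases … */
```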
@@ -0,0 +1,47 @@
+/*
+ * GSSAPI Security Extensions
+ * RPC Pipe client routines
+ * Copyright (C) Simo Sorce 2010.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _CLI_PIPE_GSSAPI_H_
+#define _CLI_PIPE_GSSAPI_H_
+
+struct gse_context;
+
+#ifndef GSS_C_DCE_STYLE
+#define GSS_C_DCE_STYLE 0x1000
+#endif
+
+NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ const char *ccache_name,
+ const char *server,
+ const char *service,
+ const char *username,
+ const char *password,
+ uint32_t add_gss_c_flags,
+ struct pipe_auth_data **_auth);
+
+NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ struct gse_context *gse_ctx,
+ DATA_BLOB *token_in,
+ DATA_BLOB *token_out);
+
+DATA_BLOB gse_get_session_key(struct gse_context *gse_ctx);
+
+#endif /* _CLI_PI3E_GSSAPI_H_ */
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index f7bb9d000d..2d4ee562ad 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -30,6 +30,7 @@
 #include "rpc_client/cli_netlogon.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "librpc/rpc/dcerpc.h"
+#include "librpc/rpc/dcerpc_gssapi.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_CLI
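Review bot: The prototype `gse_get_client_auth_token(mem_ctx, gse_ctx, token_in, token_out)` declared here does not match the non-GSSAPI fallback in dcerpc_gssapi.c, which under `#else /* HAVE_GSSAPI_H */` defines `gse_gen_client_auth_token(mem_ctx, gse_ctx, auth_blob)` instead; since create_gssapi_auth_bind_req in cli_pipe.c calls gse_get_client_auth_token without any #ifdef, a build without GSSAPI headers compiles against this declaration and then fails to link. The stub should mirror the declaration: `NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx, DATA_BLOB *token_in, DATA_BLOB *token_out) { return NT_STATUS_NOT_IMPLEMENTED; }`. The header would also benefit from a comment on gse_init_client stating that `service` and `server` are combined into the host-based name `service@server`, that a NULL `ccache_name` selects the default credential cache, that `password` is currently not used, and that NT_STATUS_MORE_PROCESSING_REQUIRED from gse_get_client_auth_token means the server's reply token has to be fed back through `token_in`.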
@@ -947,61 +948,40 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 Creates krb5 auth bind.
 ********************************************************************/
-static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli,
- enum dcerpc_AuthLevel auth_level,
- DATA_BLOB *auth_info)
+static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
+ struct pipe_auth_data *auth,
+ DATA_BLOB *auth_info)
 {
-#ifdef HAVE_KRB5
- int ret;
+ DATA_BLOB in_token = data_blob_null;
+ DATA_BLOB auth_token = data_blob_null;
 NTSTATUS status;
- struct kerberos_auth_struct *a = cli->auth->a_u.kerberos_auth;
- DATA_BLOB tkt = data_blob_null;
- DATA_BLOB tkt_wrapped = data_blob_null;
-
- DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
- a->service_principal ));
-
- /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
-
- ret = cli_krb5_get_ticket(a, a->service_principal, 0,
- &tkt, &a->session_key,
- AP_OPTS_MUTUAL_REQUIRED, NULL,
- NULL, NULL);
- if (ret) {
- DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
- "failed with %s\n",
- a->service_principal,
- error_message(ret) ));
-
- data_blob_free(&tkt);
- return NT_STATUS_INVALID_PARAMETER;
+ /* Negotiate the initial auth token */
+ status = gse_get_client_auth_token(mem_ctx,
+ auth->a_u.gssapi_state,
+ &in_token,
+ &auth_token);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
 }
- /* wrap that up in a nice GSS-API wrapping */
- tkt_wrapped = spnego_gen_krb5_wrap(talloc_tos(), tkt, TOK_ID_KRB_AP_REQ);
-
- data_blob_free(&tkt);
-
- status = dcerpc_push_dcerpc_auth(cli,
- DCERPC_AUTH_TYPE_KRB5,
- auth_level,
+ status = dcerpc_push_dcerpc_auth(mem_ctx,
+ auth->auth_type,
+ auth->auth_level,
 0, /* auth_pad_length */
 1, /* auth_context_id */
- &tkt_wrapped,
+ &auth_token,
 auth_info);
+
 if (!NT_STATUS_IS_OK(status)) {
- data_blob_free(&tkt_wrapped);
+ data_blob_free(&auth_token);
 return status;
 }
- DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
- dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
+ DEBUG(5, ("Created GSS Authentication Token:\n"));
+ dump_data(5, auth_token.data, auth_token.length);
+ data_blob_free(&auth_token);
 return NT_STATUS_OK;
-#else
- return NT_STATUS_INVALID_PARAMETER;
-#endif
 }
 /*******************************************************************
@@ -1240,9 +1220,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 break;
 case DCERPC_AUTH_TYPE_KRB5:
- ret = create_krb5_auth_bind_req(cli,
- auth->auth_level,
- &auth_info);
+ ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_info);
 if (!NT_STATUS_IS_OK(ret)) {
 return ret;
 }
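Review bot: `if (!NT_STATUS_IS_OK(status)) { return status; }` right after the gse_get_client_auth_token call in create_gssapi_auth_bind_req rejects NT_STATUS_MORE_PROCESSING_REQUIRED, which is precisely what that function returns for GSS_S_CONTINUE_NEEDED — and because GSS_C_MUTUAL_FLAG is requested, the krb5 mechanism returns GSS_S_CONTINUE_NEEDED on the first gss_init_sec_context call, so on the normal path the bind request is never built. The check should read `if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { return status; }`. Nothing in this diff feeds the bind_ack's auth token back into gse_get_client_auth_token to complete the mutual-authentication leg either, so until that follows a comment at the top of the function such as `/* First leg only: MORE_PROCESSING_REQUIRED is expected here; the server token from the bind_ack still has to be passed back to gse_get_client_auth_token before the peer counts as authenticated. */` would keep the next reader from treating a successful bind as a verified server.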
@@ -2369,74 +2347,6 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
 return NT_STATUS_NO_MEMORY;
 }
-#ifdef HAVE_KRB5
-static int cli_auth_kerberos_data_destructor(struct kerberos_auth_struct *auth)
-{
- data_blob_free(&auth->session_key);
- return 0;
-}
-#endif
-
-static NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
- enum dcerpc_AuthLevel auth_level,
- const char *service_princ,
- const char *username,
- const char *password,
- struct pipe_auth_data **presult)
-{
-#ifdef HAVE_KRB5
- struct pipe_auth_data *result;
-
- if ((username != NULL) && (password != NULL)) {
- int ret = kerberos_kinit_password(username, password, 0, NULL);
- if (ret != 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- result = talloc(mem_ctx, struct pipe_auth_data);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- result->auth_type = DCERPC_AUTH_TYPE_KRB5;
- result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
- result->auth_level = auth_level;
-
- /*
- * Username / domain need fixing!
- */
- result->user_name = talloc_strdup(result, "");
- result->domain = talloc_strdup(result, "");
- if ((result->user_name == NULL) || (result->domain == NULL)) {
- goto fail;
- }
-
- result->a_u.kerberos_auth = TALLOC_ZERO_P(
- result, struct kerberos_auth_struct);
- if (result->a_u.kerberos_auth == NULL) {
- goto fail;
- }
- talloc_set_destructor(result->a_u.kerberos_auth,
- cli_auth_kerberos_data_destructor);
-
- result->a_u.kerberos_auth->service_principal = talloc_strdup(
- result, service_princ);
- if (result->a_u.kerberos_auth->service_principal == NULL) {
- goto fail;
- }
-
- *presult = result;
- return NT_STATUS_OK;
-
- fail:
- TALLOC_FREE(result);
- return NT_STATUS_NO_MEMORY;
-#else
- return NT_STATUS_NOT_SUPPORTED;
-#endif
-}
-
 /**
 * Create an rpc pipe client struct, connecting to a tcp port.
 */
@@ -3339,12 +3249,12 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
 const struct ndr_syntax_id *interface,
 enum dcerpc_transport_t transport,
 enum dcerpc_AuthLevel auth_level,
- const char *service_princ,
+ const char *server,
 const char *username,
 const char *password,
 struct rpc_pipe_client **presult)
 {
-#ifdef HAVE_KRB5
+#ifdef HAVE_GSSAPI_H
 struct rpc_pipe_client *result;
 struct pipe_auth_data *auth;
 NTSTATUS status;
@@ -3354,10 +3264,12 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
 return status;
 }
- status = rpccli_kerberos_bind_data(result, auth_level, service_princ,
- username, password, &auth);
+ status = gse_init_client(result, DCERPC_AUTH_TYPE_KRB5, auth_level,
+ NULL, server, "cifs", username, password,
+ GSS_C_DCE_STYLE, &auth);
+
 if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("rpccli_kerberos_bind_data returned %s\n",
+ DEBUG(0, ("gse_init_client returned %s\n",
 nt_errstr(status)));
 TALLOC_FREE(result);
 return status;
@@ -3406,9 +3318,7 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 a->a_u.auth_ntlmssp_state);
 break;
 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- sk = data_blob_const(
- a->a_u.kerberos_auth->session_key.data,
- a->a_u.kerberos_auth->session_key.length);
+ sk = gse_get_session_key(a->a_u.gssapi_state);
 break;
 default:
 return NT_STATUS_NO_USER_SESSION_KEY;
@@ -3418,8 +3328,7 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
 break;
 case DCERPC_AUTH_TYPE_KRB5:
- sk = data_blob_const(a->a_u.kerberos_auth->session_key.data,
- a->a_u.kerberos_auth->session_key.length);
+ sk = gse_get_session_key(a->a_u.gssapi_state);
 break;
 case DCERPC_AUTH_TYPE_NONE:
 sk = data_blob_const(a->user_session_key.data, |
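Review bot: cli_rpc_pipe_open_krb5 now hands `username` and `password` to gse_init_client, which only copies the name and never touches the password (its TODO says as much), whereas the removed rpccli_kerberos_bind_data ran kerberos_kinit_password() with them first; a caller that supplies explicit credentials therefore binds as whatever principal happens to sit in the default ccache, with no error at all. Until the kinit lands inside gse_init_client, keep the previous behaviour at this call site, just before the gse_init_client call: `if (username != NULL && password != NULL && kerberos_kinit_password(username, password, 0, NULL) != 0) { TALLOC_FREE(result); return NT_STATUS_ACCESS_DENIED; }` (the helper was only called from the removed code, so it presumably still exists). The rename from `service_princ` to `server` also changes the contract silently — the value is now composed into `cifs@<server>` by gse_init_client — so any caller still passing a full `cifs/host@REALM` principal will build a bogus target name; that deserves a comment on the prototype and a check of the callers, which are outside this diff.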
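Review bot: Both cli_get_session_key branches now return `gse_get_session_key(a->a_u.gssapi_state)`, but nothing in dcerpc_gssapi.c ever writes `gse_ctx->session_key` (it stays as talloc_zero left it), so KRB5 and SPNEGO/KRB5 callers get a zero-length key where the removed code returned the one cli_krb5_get_ticket() had extracted. Until the key is exported from the established context (for instance through gss_krb5_export_lucid_sec_context() from the already-included gssapi_krb5.h), this path should fail visibly rather than hand out an empty key: `if (sk.length == 0) { return NT_STATUS_NO_USER_SESSION_KEY; }` after the switch, unless the code past the hunk already does that. The enclosing function continues outside the hunk.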